On Wed, Sep 23, 2009 at 09:39:33AM +0100, Tvrtko Ursulin wrote:
Lived with it because there was no other option. We used LSM while it was
available for modules but then it was taken away.
And not all vendors even use syscall interception, not even across platforms,
of which you sound so sure about. You can't even scan something which is not
in your namespace if you are at the syscall level. And you can't catch things
like kernel nfsd. No, syscall interception is not really appropriate at all.
The "Anti-Malware" industry is just snake oil anyway. I think the
proper approach to support it is just to add various no-op exports claim
to do something and all the people requiring anti-virus on Linux will be
just as happy with it.